I recently setup a Docker implementation on a Test Server (CentOS 8). Pulled down the Splunk Base Enterprise container and got it working with no issues. Obviously there were no events going to it since I hadn't pulled a universal forwarder yet. So I pulled down the UF and got it working too and events started flowing into my Splunk base container - all was good. Then I shut down the server and have several times since but when I start the base Splunk container and leave the forwarder off - I am still getting events flowing into base Splunk container. It doesn't seem to matter if I start the forwarder or leave it off - I still get events. Is this normal behavior? I cannot find any documentation on why I would still be getting events with the forwarder off.
Yes this is 100000% normal because Splunk is continuously monitoring itself. Even though your universal forwarder container is turned off and/or not sending data to your base Splunk container, that base Splunk container continues to ingest data from itself.
See this Splunk Docs page on What Splunk software logs about itself